The recent announcement by the Turnbull government saw $230 million allocated to a host of policies that made up its new cyber security strategy. This is a great step forward from our tech-savvy prime minister and includes a raft of important and valuable measures. Like so many of my industry peers and colleagues who have commented following the cyber security strategy launch, I believe it’s just not enough.
Don’t get me wrong, $230 million is a lot of money, and I applaud a government willing to address the problem, look forward and take action. But $230 million over four years equates to less than $60 million per year, and when we start to look at all the actions outlined in the strategy, we start to question how they can all be funded adequately.
This is particularly so given that, as the government’s strategy points out, technology-enabled business models could create up to US$625 billion in economic activity per year by 2030 in Asia Pacific, representing 12 per cent of the region’s total projected GDP.
While the digital economy promises productivity gains, jobs and wealth creation, something sinister stands in its way: security, or the lack thereof. Cybercrime, including hacking, data breaches, and ransomware, costs the global economy nearly $500 billion annually. Closer to home, cybercrime costs Australia between $1 billion and $17 billion a year, or roughly 1% of GDP. Organised crime, non-state and state actors, industrial espionage and cyber terrorism are all part of the mix; these groups aim to steal, to disrupt and to cause mayhem.
In an election year, this announcement is more about politics and drama than substance. The Department of Prime Minister and Cabinet could have looked at a rising scale of funding to match the increase in attacks we are seeing. Perhaps challenging the private sector to match funding dollar for dollar and providing tax breaks for this would put some more money behind the initiative.
Build the future of cyber defence
The government pointed out one of the major challenges facing cyber security in Australia: our critical shortage of skilled cyber security professionals. Key to this is tertiary education, as mentioned in the cyber security strategy. The aim is ambitious but the tools outlined lack detail, and more can be done. We need to build a nation of people who are educated about cybercrime and can join the fight against it.
Funding this skills shortage through tax breaks or subsidised fees for appropriate training and tertiary education would propel a larger pool of qualified personnel to help with the problem.
Awareness is one of the most important factors in preparing and adequately arming our businesses and consumers against cybercrime. Cyber defence can no longer solely remain the realm of the security or IT teams – it requires education, knowledge and awareness amongst all staff and all consumers on how to keep themselves safe.
The cyber security strategy outlined the need for awareness and education initiatives and campaigns, which is terrific, but again we can and should do so much more. We need financial and criminal penalties for senior management ignoring the problem.
Make it law
A cyber security strategy is nothing without data breach notification laws. Data breaches continue to affect every industry and businesses of every size. We need real action on the long-proposed mandatory data breach notification laws. Data breaches and cyberattacks need to be made public, not simply to ‘name and shame’ but for the benefit of us all, so we can all learn from them.
Without notification laws, no company will freely admit to breaches. This is the biggest hurdle; if we aren’t going to talk about data breaches and cyberattacks, the business community is not going to understand it. Reporting and discussing data breaches will allow the industry as a whole to better discuss and educate. Take ransomware as an example; this is a challenge that has been widely discussed and analysed in public so we’re all more aware and able to tackle the problem.
Bringing notification into law could mean that those coming out and confirming data breaches against them could get advice and protection. Those not disclosing could be fined. Unless we bring stronger laws in place forcing the acceptance that cyber security is a problem, we can’t expect to address it.
Review. Every year.
The cyber security landscape is changing dramatically every year. Cyber criminals and the tools that they use are evolving, adapting and becoming increasingly more sophisticated. For this reason, a strategy for today is going to have little relevance in four years’ time. We need to review this every year. We need to identify and analyse the threats and put in place strategies that will help defend against them for the year ahead.
As the government points out in its cyber security strategy, all of us—governments, businesses, communities and individuals—need to tackle cyber security threats to make the most of online opportunities. Ultimately, though, the government holds the central responsibility for cyber security policy.
I applaud Mr Turnbull’s initiative and foresight. The cyber security strategy is a good mix of actions comprising public-private cyber security partnerships, intelligence sharing and innovation. Yet we are up against a multi-billion-dollar enemy that grows stronger by the day. More resources and, pointedly, a change in attitude at both the government and private sector levels are needed to reverse this malaise.
Zak Khan is the director of custom cyber defence at Trend Micro Australia and New Zealand. www.TrendMicro.com.au